Pandora, other app makers subpoenaed over user data collection

Pandora has revealed that it received a federal grand jury subpoena asking for …

A federal grand jury has opened an investigation into mobile apps and what kind of personal data they might transmit about users, Pandora has revealed. The streaming music company recently amended its S-1 filing with the Securities and Exchange Commission (SEC) to note that it had been subpoenaed to produce documents about its user data collection on Android and iOS devices, which the company believes is related to an industry-wide probe into how mobile apps capitalize on user information.

"[I]n early 2011, we were served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms," Pandora wrote in its filing. "While we were informed that we are not a specific target of the investigation, and we believe that similar subpoenas were issued on an industry-wide basis to the publishers of numerous other smartphone applications, we will likely incur legal costs related to compliance with the subpoena, management’s attention could be diverted and there is no guarantee that we will avoid costly litigation."

According to a "person familiar with the matter" speaking to the Wall Street Journal, the purpose of this grand jury investigation is to find out whether app makers fully describe to users the kinds of information they need, such as geolocation data or a device's unique identifier, and why they need it. Though most other app makers have not publicly commented on the subpoena, the creator of an iOS app called "Pumpkin Maker" told the Journal that he also got a subpoena that requested documentation about the workings of his app.

The investigation may have been sparked by an October 2010 report out of Bucknell University, which said that a majority of iOS apps transmit user data back to their own servers, and that (in some cases) it was an easy task to piece together enough information to identify a user. Just a couple months after that report came out, Apple and several app developers faced a class-action lawsuit over user data collection.

Apple has historically claimed that it effectively anonymizes data that it collects and does not share any of that data with advertisers. However, according to research conducted by the Wall Street Journal last year, data such as location, age, gender, and even sexual orientation or political views are often collected and sent back to Apple, developers, and ad networks themselves.

As Pandora noted in the SEC filing, the focus of the grand jury investigation isn't just limited to Apple or iOS apps—Android apps are beginning to come under fire for the same reasons, and we wouldn't be surprised to hear the same of other mobile platforms that have their own app stores. The investigation appears to be in its early stages and may not result in any charges, though, which seems to be the hope of Pumpkin Maker developer Anthony Campiti.

"They're just doing information-gathering to get a better understanding [of what apps are doing]," Campiti told the Journal. "We're not doing anything wrong and neither is anyone else doing anything wrong."

That's a pretty bold statement, though Pandora also argues that it needs the information it collects so that it can deliver personalized music streams to users. Still, someone in law enforcement is suspicious of the level of information collected and whether users were notified, and developers that are found guilty of misleading users may face federal fraud charges.